Mobile Application Management (MAM) has traditionally been deployed as a technology layered on top of Mobile Device Management (MDM). In fact, for many use cases, MDM technology is required to make MAM work. Here are some examples:
- An MDM device passcode policy is required to apply device level encryption which provides application layer security.
- MDM is used to push and maintain user certificates for application layer security.
- MDM is required for Per App VPNs.
- MDM is required for data in use controls such as open-in.
- MDM is required for application Single Sign-On
As you can see, with MAM there has always been a dependency on MDM. Deployment options for EMM typically include MDM or MDM+MAM, but not MAM-only.
I’m here to tell you that Citrix XenMobile offers the highest levels of mobile data and app security without the requirement of device enrollment via MDM. It’s a strategy Citrix refers to as MAM-first.
We realize that with EMM, a large percentage of devices are personally owned (BYO). The greatest complaint and barrier to EMM adoption is that the average person doesn’t feel comfortable with their personal device being managed via MDM. It’s intrusive.
Can my company read my personal texts? Can IT track my location? Can IT read my personal e-mails? Can IT access my Facebook? Can IT listen to my voicemails? Can IT initiate a factory device reset that would erase all my personal photos? These are legitimate concerns.
Our customers have been looking for new ways of providing EMM without requiring device enrollment. The catch, it needs to provide security that’s AT LEAST as good as MDM + MAM.
XenMobile Server 10.3.5, now available, continues to give customers the option of MDM, MDM + MAM or MAM-only all from a single console and server.
How does it work?
XenMobile architecture was developed in such a way that MDM can easily be removed from the equation. All of the components required for securing data-at-rest, data-in-motion and data-in-use reside independently of the MDM layer. As you can see in the diagram above, the application layer security is completely independent from the MDM layer.
“MDM-like” polices exists at the app level rather than the device level. For example, with MDM you can lock, wipe or selectively wipe a device. With XenMobile MAM polices, you can also lock, wipe and selectively wipe, but rather than apply these actions to the entire device (a personally owned device in many cases) you can apply them to each individually managed app.
Let’s talk about encryption. Our largest competitor in the EMM market claims to offer app-level application encryption. Application data with their solution is encrypted, but it’s encrypted with the built-in operating system device-level encryption. What this means is that an MDM policy is required to enforce the device passcode that guarantees the encryption. In this scenario, MDM can’t be decoupled from MAM, so users must accept IT having control of their entire device.
Citrix XenMobile Micro-VPN vs Per-App VPN. Don’t be fooled. Micro-VPN and Per-APP VPN are not the same thing. The Chart below shows the advantages of Micro-VPN when compared to Per-App VPN, but the bottom line is that Per-App VPN requires device level MDM enrollment.
XenMobile 10.3.5—available today—continues to build on Citrix’s strong foundation of MAM-first thinking.
XenMobile 10.3.5 MAM-first feature set:
- User certs for application authentication can now be distributed and managed without the requirement of MDM enrollment.
- Shared devices for MAM allows users who share a device to access personalized apps and data without having to re-enroll the device.
- Self-destructing MAM policy allows IT to set inactivity time limits for the MDX container. For example, if a user’s personal device was lost or stolen while in airplane mode, a MAM policy can be applied to initiate an offline action to self destruct the container.
- Over 50+ MAM-only policies supported today with no requirement for an MDM profile.
- MAM-only 2 factor authentication with single sign-on for all managed apps.
- One PIN to access all corporate apps protected by Touch ID.
Others may be able to offer MAM via MDM, but only Citrix XenMobile can offer a MAM-only solution with true application layer encryption.
Moving forward, Citrix is committed to a MAM-first approach for securing data and applications in the mobile workspace. The XenMobile MDM independent architecture has allowed us to rapidly develop and innovate in the area of mobile security that doesn’t require MDM device enrollment.
For more information on XenMobile MDX technology please click HERE for a non-fenced whitepaper.